By Topic: Operations

Evolving threats, regulatory focus and innovation require every transaction to now include some technology, privacy and cybersecurity due diligence. A target’s problems in these areas can manifest themselves in painful ways, whereas a robust infrastructure can dramatically improve value. This article covers a recent ACA Aponix program that detailed key issues to consider when reviewing cybersecurity, information technology and regulatory compliance at target and portfolio companies. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017).

Once the initial fervor over GDPR implementation dies down, companies will have to ensure that their program is properly maintained long-term. This final installment of our three-part GDPR series for the financial sector addresses how to monitor and assess the program and examines special considerations – such as determining the identity of controllers and processors and accounting for Member-State specificities. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. Part two detailed specific compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

Even companies with mature information security practices must consistently reevaluate their needs and update their measures. The start of the year is a good time to stop and ensure that your organization is taking the right steps. The Cybersecurity Law Report spoke with several legal and technical experts for their advice on what companies should prioritize in 2018 and compiled the resulting top ten cybersecurity action items for a more secure new year. See also “Ten Cybersecurity Priorities for 2017” (Jan. 11, 2017).

IT’s important role in implementing a cybersecurity strategy is indisputable, but lawyers need to be at the table too given the risks, including regulatory implications of breaches and the growing possibility of ensuing litigation. With input from technical and legal experts, this three-part series addresses what attorneys need to understand about security technologies and what role they should play. This second installment explores these issues within efforts related to red-teaming, vulnerability scanning and social engineering. Part one addressed the knowledge base needed depending on the lawyer’s role, whether security certification is necessary, and the roles of technology and pen testing in mitigating risk. Part three will cover cloud security and the potential value of hacking back. See also our three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018); “Assessments and Incident Response” (Apr. 11, 2018); “Vendors and M&A” (Apr. 18, 2018).

Governments and regulators – including the SEC and the U.K. Financial Conduct Authority – are intensifying their scrutiny of financial services firms’ cybersecurity programs. At a minimum, firms must ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article discusses the roles of the CISO and CCO in cybersecurity programs, regulator priorities, steps firms can take to mitigate cyber risk, and the outsourcing of cybersecurity functions. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

Effective cybersecurity strategy requires the legal and security functions to work together when assessing third parties, either in the context of hiring a vendor or merging with or acquiring a new company. “I don’t think they’re coordinating very well,” Akin partner Michelle Reed told The Cybersecurity Law Report. With insight from Reed and technical experts, this third installment of our three-part series on when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program tackles coordination between the two teams on vendor assessments, M&A due diligence and combatting insider threats. Part two examined how both teams can coordinate on incident response and to assess risk and privacy impact. Part one covered how to structure corporate governance for optimal collaboration between these two groups. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017) and “Mitigating Cyber Risk in M&A Deals and Third-Party Relationships” (Jul. 6, 2016).

As regulators increasingly blend privacy and security issues, privacy officers and CISOs need to interact frequently to develop a healthy relationship for effective protection of key data. Our three-part series offers legal and technical expert advice on when and how these professionals should be communicating to build a strong working relationship for robust cybersecurity and data privacy programs. This second part examines how both teams can coordinate on incident response and for risk and privacy impact assessments. Part one covered how to structure corporate governance for optimal collaboration between these two groups. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

Effective protection of key data requires a healthy relationship and frequent interaction between the legal and security functions. As regulators increasingly blend privacy and security subject matter, privacy officers and CISOs need to work together to stay compliant. This three-part series addresses when and how legal and security professionals should be communicating to build strong working relationships for a robust cybersecurity and data privacy program. Part one covers how to structure corporate governance for optimal collaboration between these two groups. Part two will look at how both teams can come together to assess risk and privacy impact. Part three will tackle coordination between legal and security on vendor assessments and in the M&A context. See “How Cyber Stakeholders Can Speak the Same Language (Part One of Two),” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

Despite an increasing number of technical and automated tools, organizations continue to be challenged by the large volume of data collected from disparate sources. GDPR compliance is only highlighting the need to understand, map and protect all that data. Shockingly, two-thirds of respondents in the 2018 EY Global Forensic Data Analytics Survey are either not familiar with GDPR, have heard of it but taken no action, or are studying it. Certainly, “one surprise from the survey was the general lack of readiness as it relates to data privacy and GDPR,” Todd Marlin, a principal at Ernst & Young, told The Cybersecurity Law Report. The article takes a closer look at the survey results and what companies might do to improve their operational approach and their use of forensic data analytics while meeting the requirements of GDPR and other privacy and security regulations. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

Building positive relationships between attorneys and technologists is a key way to avoid communication failures that can lead to costly results and delays. With insight from attorney and Aleada Consulting partner Kenesa Ahmad, this article provides guidance on how to successfully implement five specific strategies to improve collaboration among teams. See also “Tech Meets Legal Spotlight: Advice on Working With Information Security” (Jan. 11, 2017).

The start of the year brings new initiatives, new budgets and new risks. It is a good time to stop and ensure that your organization is taking the right steps. Even companies with mature information security practices must consistently reevaluate their needs and update their measures. The Cybersecurity Law Report spoke with several legal and technical experts to find out what they recommend companies prioritize in 2018 and compiled the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Ten Cybersecurity Priorities for 2017” (Jan. 11, 2017).

With increasing regulatory demands, including a growing number of domestic and international privacy and data security rules, compliance departments are often faced with a larger scope of work yet a limited budget. ACA Compliance Group’s recent presentation, “Planning Your 2018 Compliance Budget,” offered timely insight on how CCOs and compliance personnel can approach the compliance-budgeting process, get buy-in from senior management, avoid common pitfalls and stretch limited resources. The program featured Lee Ann Wilson, an ACA senior principal consultant; Sean McKeveny, an ACA consultant; and Kara J. Brown, counsel at Sidley. See also “Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program” (Dec. 14, 2016).

Many organizations generate and hold metrics about their compliance program. This vital information can be used to measure the effectiveness of these programs and ultimately improve them, but only if it is gathered and analyzed effectively – and those can be challenging tasks. This article provides a roadmap for gathering and analyzing compliance data as well as continually using it to improve compliance programs. See also “Tracking Data and Maximizing Its Potential” (May 17, 2017).

Given the grave potential repercussions of data breaches, the C-suite needs to be aware of how the company is managing its cyber risk. Andrew Tannenbaum, chief cybersecurity counsel at IBM Corporation, spoke with The Cybersecurity Law Report about what to discuss with the C-suite during an evaluation of the company’s cyber risk programs. He also offered strategies for setting responsibility at various levels across the organization and for establishing a common language between internal stakeholders to effectively discuss and mitigate these risks. Tannenbaum will be a panelist at ALM’s cyberSecure conference on December 4 and 5, 2017, at the New York Hilton. A discount code for CSLR subscribers is inside this article. See also “How Cyber Stakeholders Can Speak the Same Language (Part One of Two)” (Jul. 20, 2016); Part Two (Aug. 3, 2016).

In-house privacy attorneys are constantly challenged to keep abreast of changing legal and regulatory requirements, obtain and maintain executive support, and work with internal stakeholders and outside counsel in economically viable ways. At a recent PLI event, privacy counsel from Google, JPMorgan Chase and Procter & Gamble Company offered insight on the challenges that come with their roles, how privacy programs have grown, how they can be managed well despite the speed of change and how in-house lawyers can best work both with outside counsel and internal business teams. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017).

Increasing cyber threats and a shifting regulatory landscape have expanded the role of CCOs, who need to ensure proper cyber defenses are in place and regulatory compliance is up to date. The CCO must manage a capable team and monitor developments while continuously updating the company’s compliance program and efforts. In this guest article, Guy Talarico, founder and CEO of Alaric Compliance Services, explores changing threat sources, regulatory priorities and best practices, with an emphasis on SEC guidance, as well as the information sources a CCO must track to fulfill this critical and dynamic role. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

The general counsel plays a critical role in a company’s cybersecurity, especially in high-profile events, as the blame the Yahoo GC shouldered in the 2014 breach revealed. The GC must have the necessary authority to ensure the company develops appropriate proactive measures and must be able to take a leadership position after an event has occurred. Ronald Sarian, vice president and general counsel of eHarmony, spoke with The Cybersecurity Law Report about how the GC can obtain and exercise his or her authority, and his own efforts to develop incident response plans, training, communication and escalation protocols. He also discussed how he built a strong relationship with the company’s technical teams, what he learned from the 2012 cyber attack on eHarmony and what in-house counsel can learn from the DLA Piper breach. See also “Strategies for In-House Counsel Responsible for Privacy and Data Security” (Feb. 22, 2017) and “Increasing Role of Counsel Among Operational Shifts Highlighted by Cyber Risk Management Survey” (Nov. 16, 2016).

While surviving as a small or medium-sized business is challenging enough, the realization that the company could fail if it suffers a cyber attack adds another measure of stress. Knowing where to start and obtaining and allocating the right resources are key to ensuring adequate cybersecurity. Panelists at the recent Georgetown Cybersecurity Law Institute discussed ways that small and medium-sized businesses can take meaningful cybersecurity steps given their limited budgets and, in some cases, expertise. See “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

Even a small cyber incident can erupt into a major high-profile event depending on whether and how it becomes public. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers. In this second installment of our two-part article series on cyber crisis communication plans, experts offer advice on strategies for handling external communications to the media, regulators and other stakeholders, including specific questions companies might face; how to control and coordinate with a third-party vendor; and how to overcome common pitfalls and challenges. Part one covered key stakeholders and their roles, crucial playbook components and the benefits of planning ahead, and how to approach internal communications during a cyber crisis event. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

Even an organization with a highly mature cybersecurity risk-management program needs to keep pace with the changing legal and business landscape, and staying ahead of this challenge starts at the top. Just when the dust had started to settle from the widespread WannaCry attack, the ransomware attack dubbed Petya spread internationally, impacting government and commercial entities, including law firms. Using a hypothetical scenario based on starting a new business line involving financial services, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, recently offered advice on how to develop an information security risk management program; which key stakeholders are involved in the governance of the program; and how the CISO should interact with the program. In this second installment of our two-part article series, we hear from the chief risk officer on ideas for program revitalization and minimizing risk and from the general counsel on understanding and implementing applicable laws, and all four stakeholders provide practical takeaways. Part one set forth the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and strategy. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

Not every cyber incident results in a far-reaching compromise or disclosure of personal or confidential information, but even a small incident can erupt into a major high-profile cyber event depending on whether and how it becomes public. The publicity surrounding these events can render them more serious than the technical problem itself and raises the stakes on how companies respond. Because of the damaging effects press coverage can have, companies should be prepared with a thorough communications plan that contemplates more than just technical answers, experts told us. This first installment of our two-part series on breach communication plans discusses identifying key stakeholders and their roles, key playbook components and the benefits of advance planning, and offers advice on how to approach internal communications during a cyber crisis event. Part two will cover how to control and coordinate with a third-party vendor, strategies for handling external communications to the media, regulators and other stakeholders, and how to overcome common pitfalls and challenges. See also our three-part guide to developing and implementing a successful cyber incident response plan: “From Data Mapping to Evaluation” (Apr. 27, 2016); “Seven Key Components” (May 11, 2016); and “Does Your Plan Work?” (May 25, 2016).

Internal auditors can play an important role in identifying risks and data protection gaps, which is critical for any organization. In addition, internal auditors can ensure those identified vulnerabilities are being properly addressed and highlight necessary issues to executives and the board of directors. Richard F. Chambers, president and CEO of The Institute of Internal Auditors, spoke with The Cybersecurity Law Report about how internal auditors can enhance an organization’s cybersecurity program, including assessing risk, identifying areas of focus and communicating to the board and management about how effectively that risk can be managed. See “Using a Risk Assessment as a Critical Component of a Robust Cybersecurity Program (Part One of Two)” (Nov. 16, 2016); Part Two (Nov. 30, 2016).

Even an organization with a highly mature cybersecurity risk management program needs to keep pace with the changing legal and business landscape, and staying ahead of this challenge starts at the top. Using a hypothetical scenario, executives from Dell, Amazon, Cybraics and Crowdstrike, playing the roles of the CEO, CISO, CRO and GC, offered advice on how to develop an information-security risk-management program; which key stakeholders are involved in governance of the program; and how the CISO should interact with the program. In this first part of a two-part article series, we present the facts of the simulation, the CEO’s concerns, and the CISO’s response to those concerns, particularly in connection with the resources needed and the strategy. In part two, we will hear from the chief risk officer and general counsel on the subject as well as the takeaways of all four stakeholders. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

Mounting responsibilities combined with lean staffs, underfunding, and a reputation for restricting business ideas present challenges to privacy officers. The demands of the job coupled with the realities of the workplace have inspired some of them to develop creative approaches to what remains a fundamental and seemingly universal challenge for businesses large and small: safeguarding personal information successfully at a doable cost. “We all scratch our heads on the same kinds of questions and have tried different experiments on how to be more effective in our programs,” observed Lauren Steinfeld, CPO of Penn Medicine, during a recent IAPP Global Summit panel. She was joined by the CPOs of Comcast and PepsiCo as well as the SVP, data management at MasterCard. We cover their advice on ways to maximize benefits of privacy programs while working with limited resources. See also “Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program” (Dec. 14, 2016).

Britain’s formal withdrawal process from the E.U. has begun, and while E.U. treaties will shape what that process will look like, the timeline for Brexit is fluid and its effect on the European business climate is unclear. At SCCE’s 5th Annual European Compliance & Ethics Institute recently held in Prague, a panel of experts discussed the Brexit procedure, and what it may mean for compliance in the U.K. The panel included Matthew Holehouse, a journalist at MLEX Market Insight; Keith Benjamin, the global director and head of compliance for Jaguar/Land Rover; and André Bywater, a partner at Cordery Compliance. The panel was moderated by Jonathan Armstrong, who is also a partner at Cordery. See “How Will Brexit Affect U.K. Data Protection and Privacy Laws?” (Jul. 6, 2016).

Experts agree that network monitoring is a critical proactive cybersecurity measure. But complexities arise that require cross-department coordination and deep understanding of numerous privacy limitations and other legal requirements. The second installment of this two-part series provides operational guidance on implementing monitoring programs and navigating contrasting rules in Europe, as well as issues surrounding individual monitoring, monitoring for non-security purposes, and data controlled by third parties. The first part tackled the role of data monitoring, effective notice, legal considerations, and specific policy considerations. See also “Do You Know Where Your Employees Are? Tackling the Privacy and Security Challenges of Remote Working Arrangements” (May 25, 2016).

In preparation for a public offering, companies should expect scrutiny of their cybersecurity risks and the measures they take to address them, just as they do with other aspects of their business. Cyber risks and incidents can derail an IPO if they are not handled correctly. Gibson Dunn partners Andrew L. Fabens, Stewart L. McDowell and Peter W. Wardle spoke with The Cybersecurity Law Report about steps companies should take in preparing for an IPO, as well as the potential impact cybersecurity can have on the IPO process and stock price. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

Because a forensic investigation by a security firm often drives the critical path of incident response, companies are best positioned to respond quickly and effectively to potential incidents by identifying and onboarding a security firm before an incident arises. With a myriad of firms from which to choose, not only must a company carefully select the right one, but both sides must communicate effectively to build a trusting relationship. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these and other considerations. This third installment provides advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. Part two examined contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

Companies are increasingly turning to outside forensic firms for assistance with both proactive cybersecurity measures and incident response. To optimize the relationship, companies must carefully choose a firm, negotiate the right contract terms, and effectively collaborate with the chosen forensic service provider. With advice from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series on forensic firms addresses these considerations. This second part examines contract considerations, key terms and what companies should expect in deliverables. Part one explained the expertise of forensic firms, why they are used, and their role before and after an incident. Part three will provide advice on evaluating the forensic firm to determine if it has the right expertise and how to communicate and collaborate with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

Managing enterprise cybersecurity risk is a key obligation of a company’s general counsel and board of directors. The rapidly increasing frequency and sophistication of ransomware attacks in particular have made them a pervasive and challenging part of that enterprise risk. Debevoise partner Jim Pastore spoke with The Cybersecurity Law Report about what GCs and boards need to know about ransomware and how those stakeholders can effectively fulfill the board’s cyber-related fiduciary duty to the company. Pastore will be a panelist at Skytop Strategies’ Cyber Risk Governance conference on March 16, 2017 in New York. An event discount registration link is available to CSLR subscribers inside this article. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

After a company discovers a cybersecurity incident, it must understand exactly what happened and how it happened. That means bringing in the experts. The number of forensic firms from which companies can choose has grown along with the number and size of cyber breaches. How can companies evaluate the firms? What should be included in the contract? What should companies expect from these firms? How can they best collaborate with them for an effective and efficient investigation? With input from in-house and outside cybersecurity counsel as well as forensic and security experts, our three-part article series provides answers to these vital questions and others. This first part explains the expertise of forensic firms, why they are used, and their role before and after an incident. Part two will examine contract considerations, key terms and what companies can and should expect in deliverables. Part three will provide advice on how to evaluate the forensic firm to determine if it has the right expertise and how to communicate and work with these experts once they are brought on board. See also “Key Strategies to Manage the First 72 Hours Following an Incident” (Feb. 8, 2017).

Preparing for, preventing and responding to privacy and data security litigation are crucial aspects of the in-house attorney function. Key responsibilities for the role will often include developing training programs and privacy policies, working with the board, choosing the right outside counsel and effectively coordinating with them during major events. As part of a recent Practising Law Institute conference, a panel of in-house and outside attorneys from Greenberg Traurig, Glassdoor, Inc., Activision Blizzard and Pandora Media, Inc., discussed successful approaches to these tasks, as well as lessons learned from mistakes. See “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation (Part One of Two)” (Nov. 25, 2015); Part Two (Dec. 9, 2015).

The GDPR introduces the statutory position of the Data Protection Officer, who will have a key role in ensuring compliance with the regulation. But where and how does the DPO position function within the company? In this second installment in our two-part article series on the role, DPOs and counsel from around the world discuss how the DPO best fits in the corporate structure, and offer considerations for determining whether the role should be fulfilled internally or externally and five steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. Part one examined when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

Looking toward the GDPR’s May 25, 2018 implementation date, many organizations preparing for compliance are focused on the DPO role. While the position is not novel, the GDPR introduces new requirements. We spoke with experienced DPOs and counsel from around the world to clarify and shed light on the GDPR provisions and recent Article 29 Working Party guidelines relevant to the DPO role. This first part of our two-part series on the topic examines when appointing a DPO is mandatory, how to select a DPO, and the requisite skillsets and responsibilities of the role, including the difference between the DPO and other privacy compliance roles. Part two will discuss how the DPO best fits in the corporate structure, how to manage the budget for this role and steps companies can proactively take to ensure they are prepared to comply with the GDPR’s DPO requirements. See also “Navigating the Early Months of Privacy Shield Certification Amidst Uncertainty” (Nov. 2, 2016).

Escalating cyber threats, liability risks and the numerous legal and regulatory standards make it difficult for a company to know how to plan and prioritize security projects. During a recent webcast, ZwillGen attorneys Amy Mushahwar and Marci Rozen offered their advice on top-priority security projects for mitigating corporate risk, and discussed how to determine and understand applicable data security regulations and guidelines, as well as the potential liabilities and business harms that can arise from inadequate security. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

Cybersecurity risk management requires having the right leadership and governance in place, and within that structure lies the shifting role of the chief information security officer and its reporting lines. With input from CISOs, executive search experts and attorneys, this article series provides insight into the most effective approaches to recruiting, compensating and structuring cybersecurity leadership roles. This second article in the series explains the problems with the current dominant CISO reporting structure and offers experts’ advice on effective governance as well as alternatives for companies that are not finding or cannot compensate a technical expert with executive-level experience. Part one covered how to find and compensate individuals for the multi-faceted cyber leadership role. “There’s a lot changing in the way people think about the CISO. There is a pretty fast-evolving set of responsibilities and reporting structure, especially given the increasing [attention to] security by the board of directors and others charged with the fiduciary responsibility of protecting a company,” Hertz CISO Peter Nicoletti told The Cybersecurity Law Report. See also our two-part series about the roles of the CISO and CPO, “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

Even companies that have mature information security practices in place must exercise constant vigilance by reevaluating their needs and improving their approaches. The Cybersecurity Law Report spoke with several experts to find out what companies should be focusing on and how they should allocate time and resources when setting cybersecurity priorities for 2017. In this article, we outline the resulting top ten cybersecurity action items for companies to tackle to ensure a more secure new year. See also “Cybersecurity Preparedness Is Now a Business Requirement” (Feb. 17, 2016).

Although most companies recognize that legal and technology teams need to collaborate closely to address cybersecurity challenges, they often fail to overcome barriers to effective coordination. In this interview, Holland & Knight partner Scott Lashway offers advice on how to bring legal and security teams together, such as by establishing a risk committee. See also “What CISOs Want Lawyers to Understand About Cybersecurity” (Jun. 8, 2016).

Managing the challenge of securing a company’s digital information while collaborating with other executive leadership is something that only a select group of individuals can do well. In this article series, The Cybersecurity Law Report spoke to CISOs, executive search experts and attorneys to examine what it takes to fulfill both of these crucial roles. This first article discusses the challenges of merging technology expertise with executive function, compensation expectations for cyber leaders, what companies should be (and are) looking for in candidates and the value of certifications. The second article will discuss the changing role of the CISO, including why many current reporting structures are not working, and what companies can do if they do not have the resources for or cannot find the right CISO. “Many organizations regard CISO and technology-risk executive recruitment as an increasingly daunting and complex process, and recognize that one size does not fit all,” Tracy Lenzner, founder and CEO of The Lenzner Group, a global executive search company, said. See “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two),” (May 6, 2015); Part Two (May 20, 2015).

The end of the year is often when companies evaluate their budgets, and it is a crucial time to make sure the CEO is educated about data privacy legislation and its potential repercussions. So, how can privacy officers best advocate for system-wide buy-in and budget support of their data privacy programs? At a recent panel at IAPP’s Practical Privacy Series 2016 conference, compliance leaders from Shire, CBRE and InterSystems discussed their three different operational approaches and practical tactics for making sure the compliance office has the tools and the budget it needs to comply with dynamic global data privacy regulations, including the GDPR. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

The core value of a risk assessment as a critical component of a robust cybersecurity program is in its findings and recommendations. With perspectives and advice from various experts, including the CISO of a large global cloud services provider, attorneys and technical consultants, this second part in our two-part series on risk assessments details what the written report should include, with whom it should be shared and how companies can use it to strengthen their cybersecurity program. It also provides recommended actions for assessment follow-up, explores common challenges to the process and offers tips and solutions to overcome them. Part one covered the scope and purpose of the assessment, the roles of internal stakeholders and third parties, and examined what the risk assessment evaluation process entails. See also “How In-House Counsel, Management and the Board Can Collaborate to Manage Cyber Risks and Liability (Part One of Two)” (Jan. 20, 2016); Part Two (Feb. 3, 2016).

As companies become more aware of the complexities of cyber risk, they are approaching not only preventative measures more collaboratively, but also risk management and insurance selection. A recent survey conducted by Advisen and Zurich North America shows operational shifts, including the increasing cooperation between IT and risk management, a heightened role for counsel and boards, as well as more reliance on external resources for post-breach efforts. The survey also reveals that the process of determining the right insurance coverage is becoming part of this collaborative security effort. “Insurance in the cyber realm is not merely an instrument for transferring risk. Even the process of obtaining the insurance is viewed as a catalyst for driving and elevating enterprise-wide cybersecurity risk management,” Roberta Anderson, K&L Gates partner, told The Cybersecurity Law Report. See also “Building a Strong Cyber Insurance Policy to Weather the Potential Storm” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

For in-house privacy counsel, building a cohesive privacy program means leading the company, its employees and its vendors through regulatory landmines. While there is no one-size-fits-all approach, there are certain privacy program essentials applicable to most organizations, regardless of size or industry. At the recent Women, Influence and Power in Law Conference, Megan Duffy, founder of Summit Privacy and former privacy counsel at Snapchat, Inc., Tori Silas, senior counsel and privacy officer of Cox Enterprises, Inc. and Zuzana Ikels, principal at Polsinelli, shared advice on how the legal department can create and implement a strong privacy program, from initial considerations to key components. See also “Designing Privacy Policies for Products and Devices in the Internet of Things” (Apr. 27, 2016).

The recent breaches of the U.S. Office of Personnel Management illustrate the importance of an effective information security program for businesses in both the public and private sector. A recently released exhaustive investigative report by the House Oversight and Government Reform Committee outlines findings and recommendations to help the federal government better acquire, deploy, maintain and monitor its information technology. “The [Report] is replete with recommendations that private sector entities should be considering seriously,” DLA Piper partner Jim Halpert told The Cybersecurity Law Report. This article summarizes the committee’s findings and examines valuable lessons applicable to both the public and private sectors. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

It is no surprise that a breach can have substantial repercussions for a company. However, Deloitte has found that the extent and the duration of those impacts are greater than even experts anticipated. Its recent study highlights both well-known and less expected breach impacts, such as an increased cost to raise debt in capital markets and devaluation of trade names. Some of these effects can linger for years. We examine seven subtle but significant breach impacts – painting a complete picture of where companies “actually feel pain,” a Deloitte principal told us – and how to lessen those impacts. See also “Picking up the Pieces After a Cyber Attack and Understanding Sources of Liability” (Apr. 13, 2016).

Shifting cybersecurity and data privacy regulations across industries and regions challenge many companies to frequently update their practices to remain compliant, not only at their home base, but also in other countries where they conduct business. Renard Francois, General Electric’s global chief privacy officer, spoke with The Cybersecurity Law Report in advance of ALM’s cyberSecure conference on September 27-28, 2016, at the New York Hilton, where he will participate as a panelist. An event discount code is available to CSLR readers inside this article. In our interview, Francois discusses some of the key ways GE’s privacy team approaches modifying practices to stay up-to-date with global regulations, and ensuring all stakeholders are informed and working collaboratively across businesses and departments. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

The way cybersecurity terminology is used can significantly affect how a cyber event is handled. Differences in the training and background of certain cybersecurity stakeholders, particularly technical and legal teams, however, may lead to inconsistent use of important terms in the context of security breaches and protocols. This second article of a two-part series highlights ten of the most frequently misunderstood cybersecurity terms, and provides insight on their meanings and implications from both legal and security experts. Part one of the series examined how to overcome cybersecurity stakeholder communication challenges and detailed six strategies for better interaction. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

In the areas of cybersecurity and data privacy, a company’s attorneys and technical teams must work together closely. The two groups often have different approaches, however, and may not speak the same language when it comes to handling security breaches and protocols. Commonly used terms can be used inconsistently, and their implications misunderstood. In this first article of a two-part series, attorneys and consultants with different perspectives share advice with The Cybersecurity Law Report on the importance of clear communication between key stakeholders. They also examine the different approaches to cybersecurity and detail six strategies for overcoming communication challenges. Part two of the series will explore frequently misunderstood cybersecurity terms and their meanings. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

Constantly evolving data privacy laws and heightened cyber threats place a large burden on the shoulders of chief privacy officers (CPOs). At a recent PLI panel, Keith Enright, the legal director of privacy at Google; Lauren Shy, the CPO of Pepsico; and Zoe Strickland, the global CPO at JP Morgan Chase, shared their thoughts on some of the recent challenges facing CPOs, including how to work with different departments, the CPO’s role in incident prevention and response, and the pros and cons of different cross-border data transfer mechanisms. The panel was moderated by Lisa J. Sotto, a partner at Hunton & Williams. See also “Establishing Strong Cybersecurity and Data Privacy Leadership: The Roles of the Chief Information Security Officer and Chief Privacy Officer” Part One (May 6, 2015); Part Two (May 20, 2015).

When it comes to handling cybersecurity issues, in-house counsel can help minimize the company’s legal risks – but they cannot do it alone. By partnering with an outside firm, in-house counsel can boost security expertise and navigate through unfamiliar territory such as compliance with local, state and national privacy and security requirements, data breach litigation and corporate governance. The Cybersecurity Law Report spoke to a number of in-house counsel who advise on cybersecurity issues at major companies such as ExxonMobil and IBM. They discussed eight attributes they look for in outside cybersecurity counsel, when they find outside counsel most valuable and the importance of vetting the firm’s own cybersecurity practices. See also “The Multifaceted Role of In-House Counsel in Cybersecurity” (Dec. 9, 2015).

Many companies recognize that an effective incident response plan can go a long way towards mitigating the consequences of cybersecurity incidents. However, they often make simple mistakes in implementing these plans, largely because they lack a comprehensive strategy to combat persistent cyber threats. In this final segment of our three-part series on the topic, we explore common deficiencies in response plans, challenges companies face when implementing a plan, how to use metrics to troubleshoot and advocate for plan resources, and estimated costs associated with investigating and remediating the inevitable breach. The article features exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part two set forth seven key components of a robust incident response plan. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

The growing number of individuals working remotely, telecommuting or traveling with increasing frequency has challenged the traditional business cybersecurity model. With the advent of new technologies that support remote working arrangements, the secure, clearly defined perimeter many organizations once enjoyed has become a bit less distinct. The Cybersecurity Law Report spoke to Heather Egan Sussman, a privacy and data security partner at Ropes & Gray, about the privacy and security implications for employees working remotely, both in the U.S. and abroad, and proactive measures companies can take to ensure proper protections are in place and that they are compliant with the relevant laws. See also “How to Reduce the Cybersecurity Risks of Bring Your Own Device Policies”: Part One (Oct. 14, 2015); Part Two (Nov. 11, 2015).

Organizations today face an overwhelming volume, variety and complexity of cyber attacks. Regardless of the size of an enterprise or its industry, organizations must create and implement an incident response plan to effectively and confidently respond to the current and emerging cyber threats. In this second part of our three-part series on the topic, we examine the seven key components of a robust incident response plan, with exclusive and in-depth advice from a range of top experts, including consultants, in-house and outside counsel. Part one covered the types of incidents the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Part three will explore implementation of the plan, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

Many organizations are coming to terms with the troubling fact that they will fall victim to a cyber attack at some point, if they have not already. An effective incident response plan can be one of the best tools to mitigate the impact of an attack – it can limit damage, increase the confidence of external stakeholders and reduce recovery time and costs. The Cybersecurity Law Report spoke with a range of top experts, including consultants, in-house and outside counsel, who answered some of the tougher practical questions that are typically left unanswered in this area. They shared in-depth advice on the subject based on their own challenges and successes. In the first article of this three-part series, we cover what type of incident the plan should address, who should be involved and critical first steps to take in developing the plan, including references to sample plans and practical resources. Parts two and three will examine key components of the plan, implementation, evaluating its efficacy, pitfalls, challenges and costs. See also “Minimizing Breach Damage When the Rubber Hits the Road” (Feb. 3, 2016).

The “bad guys” seeking to hack into systems of defense companies want sensitive information not for commercial success, but to do our nation and our allies harm, and that changes the cybersecurity equation, Raytheon’s John Smith told The Cybersecurity Law Report. In a Q&A, Smith, the vice president, cybersecurity and privacy, and general counsel of the global business services group at Raytheon, discusses how the Raytheon cybersecurity and privacy department is structured, when outside counsel is called in, how Raytheon approaches information sharing, why the new Department of Defense cybersecurity guidance is flawed, and more. See also “How the American Energy Industry Approaches Security and Emphasizes Information Sharing” (Mar. 2, 2016).

Many executives tasked with combatting cybersecurity threats lack necessary awareness and readiness, according to a survey commissioned by security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity & Building a Culture of Responsibility (the Survey Report) includes findings of an extensive study involving 1,530 non-executive directors, CEOs, CISOs and CIOs of major corporations around the globe. Using information from a combination of one-on-one interviews and a quantitative survey, the Survey Report highlighted seven key cybersecurity challenges facing boards and executives and provided actionable advice in these areas. We examine these findings, with input from Lance Hayden, managing director of Berkley Research Group, and author of People-Centric Security. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

Limited compliance resources can be a challenge, but there are ways to get the compliance message across without breaking the bank. Whether it is a cybersecurity or an anti-corruption compliance message, behavioral psychology can be used to encourage people to do the right thing in their jobs, Virginia MacSuibhne, vice president and general counsel of Ventana Medical Systems, explained during a recent Clear Law Institute program. MacSuibhne presented 20 inexpensive, but effective, communication tools that can be used to assure that a compliance message hits home. See “Defining, Documenting and Measuring Compliance Program Effectiveness” (Jan. 20, 2016).

One way for companies to integrate their internal and external commitment to data protection and privacy is by implementing a “privacy by design” mechanism, Sachin Kothari, director of online privacy and compliance at AT&T, Inc., explained during a recent ALM cyberSecure Conference. Kothari highlighted specific steps companies can take to effectively integrate such a program into their corporate governance structures. He was joined by Andrea Arias, an attorney in the Division of Privacy and Identity Protection at the FTC and Chaim Levin, chief U.S. legal officer at Tradition Group. This article examines Levin and Kothari’s insights on data security and privacy governance and best practices to meet the potentially competing demands of in-house, consumer and regulatory cybersecurity expectations. A future article will address Arias’ perspective on recent FTC guidance and cyber enforcement actions. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

How can companies make cybersecurity preparedness an integral part of their business practices? During a recent panel at ALM’s cyberSecure event, JoAnn Carlton, general counsel and corporate secretary at Bank of America Merchant Services, Edward J. McAndrew, Assistant U.S. Attorney and Cybercrime Coordinator at the U.S. Attorney’s Office, and Mercedes Tunstall, a partner at Pillsbury, gave their perspectives on steps companies can take to enhance cybersecurity. They discussed how the evolving nature of cyber attacks requires evolving business models. Simply establishing an incident response plan is not enough: companies must build privacy preparedness across the organization and engage in a continuous cycle of planning and response to stay ahead of cyber threats. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); “The Challenge of Coordinating the Legal and Security Teams in the Current Cyber Landscape (Part Two)” (Jul. 15, 2015).

“Cybersecurity is an enterprise risk issue that should ultimately rise to the level of the board of directors,” Ivan Fong, senior vice president, legal affairs and general counsel of 3M Company, advised. Understanding the role of the board, and counsel’s role working with the board, is integral for managing cybersecurity risk effectively. Part one of this two-part article series examines the increased role of directors in ensuring companies are appropriately protected against cyber threats and how management, including in-house counsel, should communicate with the board and keep it updated and informed. Part two will address the litigation risks faced by the board and individual directors and how to limit that liability, including details about the role directors should play to satisfy their fiduciary duties. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

The risks of having a cybersecurity compliance program that exists only on paper are well-known, but measuring whether the program is actually working, how it is working and documenting those findings for internal and external stakeholders present challenges. A recent program at the SCCE Annual Compliance & Ethics Institute considered how compliance professionals can measure and document steps taken to demonstrate the effectiveness of their compliance programs for cybersecurity and other areas of law. The program featured Scott Hilsen, a managing director at KPMG’s forensic unit and Jean-Paul Durand, a vice president and chief ethics and compliance officer at Tech Data Corporation. See also “Eight Ways Compliance Officers Can Build Relationships With the ‘Middle’” (Oct. 14, 2015).

Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task. Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution. In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program. Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well. The first article explored current regulatory expectations applicable to the financial services sector. See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

The enormous liability and costs that cyber incidents generate make cyber insurance a new reality in corporate risk management plans across industries. This article, the second article in the series, explores policy exclusions and pitfalls to watch out for, including lessons from recent cyber insurance coverage litigation and steps companies can take to increase the likelihood of insurance coverage under their cyber policy. Part one in the series covered navigating the placement process – having the proper individuals involved, finding the right insurer and securing the best policy for your company. See also “Analyzing the Cyber Insurance Market, Choosing the Right Policy and Avoiding Policy Traps,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

To effectively advise corporations on cybersecurity issues, in-house counsel must navigate myriad issues that can vary across industries, state and international jurisdictions as well as privacy and information security contexts. A recent PLI program brought together privacy and information security counsel from various industries to share insights on the role of in-house counsel charged with securing business-critical and confidential data and technology. They discussed the different responsibilities for data privacy and cybersecurity professionals, international data privacy and protection laws, and offered strategies for in-house counsel to prevent internal cybersecurity threats, develop breach prevention and response policies and handle vendors. The panel was moderated by Lori E. Lesser, a partner at Simpson Thacher, and included top practitioners Rick Borden, chief privacy officer at the Depository Trust & Clearing Corporation; Nur-ul-Haq, U.S. privacy counsel at NBCUniversal Media; Michelle Ifill, senior vice president at Verizon and general counsel of Verizon Corporate Services; and Michelle Perez, assistant general counsel of privacy for Interpublic Group. See “Analyzing and Complying with Cyber Law from Different Vantage Points (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015); and Part Two, Vol. 1, No. 9 (Jul. 29, 2015).

With cyber attacks continuing to strike companies of all sizes, cyber insurance has become an important component of corporate risk management strategies. While cyber risk insurance can provide coverage for the litany of potential damages that a company may suffer in the wake of a data breach, it is wildly different from the usual insurance marketplace – it is nascent, changing and varied. This, the first article in our two-part series on getting the right cyber coverage in place, provides guidance on navigating the insurance placement process, selecting the individuals who should be involved, finding the right insurer and securing the best policy for your company. Part two will explore lessons from recent cyber insurance coverage litigation, including steps companies can take to increase the likelihood of insurance coverage under their cyber policy and what policy exclusions and pitfalls to watch out for. See also “Transferring Risk Through the Right Cyber Insurance Policy,” The Cybersecurity Law Report, Vol. 1, No. 15 (Oct. 28, 2015).

With the looming threats of post-breach litigation and regulatory enforcement actions, preserving privilege in connection with a company’s cybersecurity efforts – both before and after an incident – is critical to encouraging openness in assessing and addressing a company’s vulnerabilities. Unless companies take the proper steps, however, communications and other documentation that could have been protected by the attorney-client and work product privileges will be open to discovery. The first part of The Cybersecurity Law Report’s series on preserving privilege addressed pre-incident response planning and testing activities. This article, the second part of the series, addresses how to retain privilege during post-incident response efforts.

The attorney-client and work product privileges are powerful tools that assist companies in honestly examining cybersecurity gaps, preparing for incidents, and responding to breaches without concern that discussions and recommendations about a company’s vulnerabilities will be subject to future litigation. Those privileges are “a way of fostering an open consideration of the issues without fear it will necessarily have ramifications,” Alexander Southwell, a partner at Gibson Dunn, told The Cybersecurity Law Report. Preserving the privilege when preparing for a breach, however, is difficult unless a company properly distinguishes legal analysis from regular operational tasks. This article, the first of a two-part article series, addresses steps companies should take to preserve privilege in pre-incident response planning and testing activities. The second part will address how to retain privilege during post-incident response efforts.

With the dynamic nature of privacy concerns – caused by changing legal requirements, growing data collections and evolving technology – top privacy officers must manage a shifting realm with proactive communication, effective reporting lines and operational structures to ensure accurate implementation of privacy policies and protocols. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of CPO and CISO. This article, the second of the series, focuses on the CPO, including core responsibilities, considerations for structuring reporting lines and hiring for the position. The first article focused on the CISO.

Growing cybersecurity demands on companies require effective reporting lines and operational structures to manage cybersecurity-related job functions. Experts agree that it is optimal to have both a Chief Cybersecurity Officer or Chief Information Security Officer (CISO) and a separate Chief Privacy Officer (CPO). Some companies confuse these positions, thinking “that the security person should know all things privacy and the privacy person should know all things security, and that is clearly not the case,” Michael Overly, a partner at Foley & Lardner, told The Cybersecurity Law Report. In this two-part article series, we define and distinguish the roles of the CPO and CISO. Part One focuses on the CISO – including core responsibilities, best practices for structuring reporting lines, and considerations when hiring for the position – and Part Two will focus on the CPO.

As companies store more and more data and increasingly rely on that data for a variety of purposes, they are starting to integrate data management into all aspects of the business. In this interview with The Cybersecurity Law Report, Donna L. Wilson, a partner at Manatt, Phelps & Phillips and co-chair of the firm’s Privacy and Data Security practice, discussed how companies should be implementing holistic information governance as part of enterprise risk management by stressing the importance to the board of directors, designating a corporate “conductor” to bring various stakeholders within the organization together, and conducting an internal inventory to understand what information assets the company has and needs to protect. Wilson also commented on the efforts to share threat information between and among financial firms and law firms.

A lack of coordination among company units can be detrimental in many business areas, but when it comes to cybersecurity, isolated actions and decisions can pave a clear path to a data breach, and exacerbate the legal ramifications of that breach. In a guest article, Jennifer Topper of Topper Consulting explains: why cross-functional decisionmaking is so important in cybersecurity; how to make the business case for investing in proactive cyber planning; how to integrate the cybersecurity program; how to create a multidisciplinary group of stakeholders; and the role of the general counsel in information governance.